In 2024, CISOs are facing a complex set of priorities competing for their attention, ranging from a constantly evolving threat landscape to managing the risk around implementing new technologies, like AI. As we mentioned earlier this year, one focus area for security leaders is improving their company’s operational resiliency in the event of a cyber attack or breach. Adding to the complexity are new security regulations, supply chain disruptions and unpredictable global events, as CISOs try to protect their organizations’ most valuable assets and maintain secure business operations.
Security leaders are also looking to harness the potential value of AI this year. For the first time, we offered Generative and Traditional AI as a priority in our annual Leadership Perspective Survey for CISOs, and it immediately moved into their top five priorities for 2024. CISOs are attempting to manage the risks while enabling, rather than holding back, their organizations’ AI initiatives. In its Top Strategic Technology Trends for 2024: AI Trust, Risk and Security Management, Gartner reports that AI initiatives “require a robust set of control measures for successful and durable deployment.”
CISOs are also enterprise business leaders, and like their C-suite peers, they are focused on optimizing costs and improving efficiencies. Even with the economy on more certain footing this year, security leaders need to communicate the value of security measures and manage resources effectively. In addition, they are trying to improve their alignment with the business to maximize the value and impact of cybersecurity.
Here, we take a closer look at security leaders’ primary goals and challenges in 2024, based on our annual Leadership Perspective Survey of 1,900 CISOs across Evanta communities.
Top Priorities for CISOs in their Security Function
This year, CISOs cited User Access, IAM and Zero Trust as their top functional priority, which represents a change from the past two years when Cloud Security, Strategy and Architecture held the top spot.
Cloud Security, Strategy and Architecture has moved to the #2 spot, perhaps because many organizations have already heavily invested in their cloud journey. Measuring and Communicating Risk, along with Third-Party Risk Management, continue to be top focus areas for security leaders and have consistently remained in the top five priorities for the past three years.
For the first time, Generative and Traditional AI joined the top five, coming in at #5, and demonstrating the increased importance of securing organizational AI initiatives.
Below, we dive into the top three priorities for CISOs in more detail, including what they report are the key opportunities and challenges in these areas.
Securing User Access & Improving Identity Access Management
User access has grown in importance to CISOs over the past three years. While the issue has consistently been among the top five priorities for security executives, this focus area is now taking the number one spot for the first time. One CISO shared that they are “facing a lot of challenges due to the landscape of applications and business scenarios,” and several pointed out that “legacy systems need to be addressed from an identity perspective.”
Another security leader noted that they are on a journey to improving identity access management: “We want to consolidate and improve the user experience and authentication process, and we’re looking at multi-year strategies to do this.”
These are CISOs’ specific goals and challenges in executing on user access, IAM and Zero Trust. The majority of security leaders cited mitigating risk as their primary objective. Their top challenge is legacy technology, but it is closely followed by technical debt and competing priorities.
Goals for User Access, IAM & Zero Trust
72% Mitigating risks
58% Improving processes and efficiencies
38% Improving employee experience
Challenges around User Access, IAM & Zero Trust
43% Legacy technology
42% Technical debt
42% Competing priorities
After our survey, we have hundreds of follow-up conversations between our teams and security leaders to learn in depth about their priorities. Here is a sample of what CISOs are saying about managing user access:
“We have done heavy investing in IAM for better efficiency. But we are challenged by how to efficiently manage the hierarchy and access rights.”
“Identity is a big focus. The bad guys are getting better at bypassing MFA [Multi-Factor Authentication].”
“There are challenges to implementing Zero Trust for user access – trying to balance the user experience and productivity, while strengthening security.”
CISOs primarily want to learn more about user access, IAM and Zero Trust from a strategic perspective (79%), followed closely by an execution point of view (77%).
Strengthening Cloud Security, Strategy & Architecture
Many CISOs’ organizations have been on a cloud journey, keeping cloud security, strategy and architecture at the forefront of their focus areas for three years now. As one CISO said, “The cloud landscape is always changing and will continue to be a relevant topic for years to come.”
Another security leader shared that talent is an issue, commenting, “I’m curious about how people are handling cloud security posture management – the number of people who know how to do that is limited.” Last year, in a community pulse survey about talent, CISOs cited major concerns about recruiting skilled talent for the cybersecurity function.
In our survey, CISOs cited these specific goals and challenges in continuing to implement and improve their cloud security, strategy and architecture. Their main goal is to mitigate risks, and their primary challenge is the lack of skilled talent needed to accomplish their goals.
Goals for Cloud Security, Strategy & Architecture
62% Mitigating risks
49% Improving processes & efficiencies
44% Improving resiliency
Challenges around Cloud Security, Strategy & Architecture
49% Lack of skills
37% Lack of resources
37% Competing priorities
Here is a sample of what CISOs are saying about cloud security and strategies this year:
“Keeping the threats in control with the cloud. We are early on the cloud transformation journey… and need to improve our grip on the cloud environment.”
“We have immature cloud governance, and there was a lack of a cloud owner… Our actions are to establish cloud governance frameworks, while defining standards.”
“There is a need for robust security strategies. I’m interested in leveraging AI and automated tools to enhance cloud security and reduce resource overhead.”
CISOs would like to discuss more about cloud security with their peers from a strategic perspective (84%), followed by an execution point of view (74%).
Improving Risk Measurement & Communication
Measuring and communicating risk is a consistent focus area for CISOs. They face ongoing challenges in finding the appropriate KPIs for risk management and in communicating complex security challenges to the board. In our follow-up conversations, security leaders also mentioned concerns with their ability to “sell the value” of risk management, with one CISO asking, “How do you communicate risk in a money value to the business?” Another executive shared that “a priority for me is to connect cyber risks to ROI.”
They consistently comment on communicating the right level of information about risk. One CISO said, “I’m not interested in scare tactics, but am keen to get proper buy in.” This year, others noted that they are trying to ensure they communicate about compliance effectively.
CISOs’ primary goals in this area are to improve their metrics (60%) and mitigate risk (60%). Their main challenge is all of the competing priorities in the security function.
Goals for Measuring & Communicating Risk
60% Improving metrics & KPIs
60% Mitigating risks
51% Making data-driven decisions
Challenges around Measuring & Communicating Risk
43% Competing priorities
38% Lack of resources
35% Company culture
CISOs shared more on their challenges to achieving better risk measurement and communication, including the following:
“There is often a struggle between enterprise risk and communication with the board. How do we aggregate risk and translate it into a story the board understands?”
“We need to sell risk. We need to identify the right strategies to address the topic with the board.”
“Super meaningful communication is key. Insights are key. [Stakeholders] are only interested in reports that result in actions.”
CISOs want to discuss and learn more about measuring and communicating risk primarily from a strategic perspective (74%).
CISOs’ Priorities Across the Enterprise
In our survey, we ask CISOs about their priorities for the enterprise, in addition to their functional area. For the first time in recent years, CISOs report that increasing operational efficiencies and productivity is their top enterprise priority – consistent with their peers across the C-suite. Reducing risk – typically at number one – is their second highest priority across the enterprise in 2024.
Here is a snapshot of CISOs’ top enterprise initiatives compared to their C-suite peers’.
This year, CISOs cite driving growth at number three on their enterprise priority list. Optimizing or reducing costs dropped slightly this year to their fourth highest enterprise priority, possibly reflecting that managing costs is still important, but the economic environment has improved somewhat over last year.
The Outlook for CISOs
The CISO’s role and influence continue to grow as they work cross-functionally to protect the organization and maintain operations in an environment full of risks. Cyber risk is now treated as business risk, and as such, their role is critical. The increased volume and importance of data has also elevated their role in securing the organization’s most valuable asset.
As companies try to innovate and remain competitive, CISOs are responsible for securing new tools and technologies. They are vocal in their survey comments this year about securing AI implementation and adoption, believing in some cases that executives are more focused on the opportunities AI presents than the risks. They remain positive, however, on the possibilities for AI applications in security, with one CISO commenting, “How can we treat AI as a security super power?”
Regulations and privacy also remain top of mind for CISOs in our conversations with them. Last July, the Securities & Exchange Commission adopted rules requiring public companies to disclose material cybersecurity incidents within four business days of determining that an incident is material, and to describe their cybersecurity risk management, strategy and governance in their annual reports. As CISOs and their risk management and compliance counterparts work to fulfill these requirements, there has been a lot of interest in this topic among Evanta CISOs from publicly traded companies.
To stay up-to-date with your CISO peers on these topics and more, join a regional Evanta CISO community near you. If you are already a community member, explore an opportunity to connect with other CISOs through the MyEvanta membership app.
This article is an update to a previous report, which you can find here: Top 3 Goals & Challenges for CISOs in 2023.
Based on 1,900 CISOs’ responses to Evanta’s 2024 Leadership Perspective Survey.